How privacy policies affect genetic testing

Catherine Tucker, professor at the MIT Sloan School of Management ,and Amalia R. Miller, an economist at the University of Virginia, were motivated to conduct the research because personal genetics is “an area where privacy really, really matters, when you think about how sensitive potentially your genomic data is.” States have adopted privacy laws precisely to ensure that apparent genetic risks are not the basis for discrimination in employment, insurance, and other facets of civic life.

Different types of privacy laws in U.S. states produce markedly different effects on the willingness of patients to have genetic testing done, according to a new study co-authored by an MIT professor.

As the research shows, policies that focus on the privacy risks of genetic testing, and ask for patient consent to those risks, lead to a reduction in tests performed. But policies that emphasize limits to further disclosure of genetic data without consent, and explicitly define genetic data as the property of the patient, lead to an increase in the number of tests performed.

“The one thing we found that had a positive effect [on the number of tests] was an approach where you gave patients the potential to actually control their own data,” says Catherine Tucker, a professor at the MIT Sloan School of Management who helped conduct the study.

By contrast, Tucker notes, “An approach which just emphasized consent, but with no parallel set of controls, actually the damaged the ability of hospitals to be able to persuade patients to adopt these tests.”

Genetic testing can provide indicators of an individual’s generalized risk of acquiring diseases and illnesses. Those indicators can spur people to pursue further diagnostic tests and treatments, and can reduce the incidence of disease itself. Genetic testing has also become more cost-efficient over the last decade, making it a much-touted method of personalizing medicine.

Overall, only a small percentage of the population — less than 1 percent — has gone through genetic testing in a hospital setting, which is what the study measured. However, with that as a baseline, the study shows how the different types of genetic privacy laws produce varying testing outcomes.

Compared to a baseline in which people overall have had testing done 0.54 percent of the time, policies emphasizing patient control of genetic data raise incidence of testing by 83 percent. But policies largely notifying patients of privacy risks, and asking them to consent to those risks without further control over their information, lowered testing by 69 percent. The study is based on federal survey data.

The paper, “Privacy Protection, Personalized Medicine, and Genetic Testing,” is forthcoming in print from the journal Management Science, where it has been published in online form. The authors are Tucker, who is the the Sloan Distinguished Professor of Management at MIT Sloan; and Amalia R. Miller, an economist at the University of Virginia.

Where privacy really, really matters

To conduct the study, the scholars used data from the National Health Interview Surveys, part of the Centers for Disease Control and Prevention (CDC). Those surveys include questions about genetic testing that relate to cancer risks; the study used three waves of CDC data that comprise a sample size of 81,543 respondents.

The researchers actually identified three main types of state-level genetic privacy policies. In addition to the two types of policies having a discernible impact on testing level — those emphasizing simple patient consent to privacy risks, and those ensuring greater patient control — another type of genetic privacy policy explicitly guarantees that the patient’s genetic data will not be used by insurers, employers, or other providers of long-term care or insurance.

However, despite the seemingly solid promise of privacy contained in this third type of policy, the researchers found it had a negligible impact on testing rates.

“An approach where you gave various guarantees about how the data would be used … actually had no effect,” Tucker observes.

The results reinforce the idea that the communication of privacy risks is itself an important part of privacy policy. After all, under either of the two types of policies that produce opposing effects on testing levels, it is at least possible that individual patients could see their data shared to an equal extent.

But if the policies are structured in ways that affect medical practices, including the frequency of testing, then the clinical outcomes, on aggregate, could differ.

For her part, Tucker says she and Miller were motivated to conduct the research because personal genetics is “an area where privacy really, really matters, when you think about how sensitive potentially your genomic data is.” States have adopted privacy laws precisely to ensure that apparent genetic risks are not the basis for discrimination in employment, insurance, and other facets of civic life.

From the hospital to the frontier

Tucker offers one specific qualification to the current study, since, as she notes, it focuses on genetic testing only in research hospitals — where patients have formal genetic counseling sessions before consenting to DNA testing. But there is also a private market for at-home genetic testing, for medical reasons or genealogy inquiries, and people’s privacy preferences in those cases may differ from those of hospital patients.

“Our evidence is applicable to what happens in research hospitals on the forefront of medicine, and the kind of patients they attract,” Tucker observes. “We look at a setting which is really quite formalized, a decision to get a personalized test in a hospital. There’s a whole other frontier out there of private testing companies.”

It is possible the less formal setting of home-based genetic testing might make people less wary of disclosing information. Alternately, people in hospitals might feel a heightened need for more medical information and thus be more likely to consent to testing.

In either case, Tucker notes, the U.S. health care system is still in the early stages of applying genetic testing technology, and it will be important to keep evaluating the interaction of privacy laws and citizens’ willingness to undergo genetic testing. The good news, she believes, is that state-level policies in this area largely represent good-faith efforts to protect privacy. Thus lawmakers might be willing to adjust their policies as new information about the empirical effects of those laws comes to light.

“I have some optimism that people want to do the right thing, and they’re just looking for evidence about what the right thing is,” Tucker says.